DNS is invisible until it breaks. Then everything breaks. Understanding how DNS works helps you debug issues faster and configure services correctly.
The Basics# DNS translates human-readable names to IP addresses:
e x a m p l e . c o m → 9 3 . 1 8 4 . 2 1 6 . 3 4
The resolution process:
1 2 3 4 5 . . . . . B O Q R A r S u e n o e s s w c r o w s h y l e e e v r r c g e k o r c c s e a h s q c e i u h c t t e e k s o r d s i c c e a l a o s t o c n c h f r e a e i o a l g o c u t h c r a e s l c d e e h r v e r v e e e l s r o s b l a v → s e e r T d L ( D o e n . s g e T . r T , v L e 8 r . s 8 . → 8 . a 8 u ) t h o r i t a t i v e s e r v e r s
Record Types# A Record (IPv4 Address)# e x a m p l e . c o m . 3 0 0 I N A 9 3 . 1 8 4 . 2 1 6 . 3 4
Maps a name to an IPv4 address.
AAAA Record (IPv6 Address)# e x a m p l e . c o m . 3 0 0 I N A A A A 2 6 0 6 : 2 8 0 0 : 2 2 0 : 1 : 2 4 8 : 1 8 9 3 : 2 5 c 8 : 1 9 4 6
Maps a name to an IPv6 address.
CNAME (Canonical Name)# w b w l w o . g e . x e a x m a p m l p e l . e c . o c m o . m . 3 3 0 0 0 0 I I N N C C N N A A M M E E e h x o a s m t p i l n e g . . c p o r m o . v i d e r . c o m .
Alias pointing to another name. The resolver follows the chain.
Limitations:
Can’t coexist with other records at the same name Can’t be used at zone apex (example.com) MX (Mail Exchange)# e e x x a a m m p p l l e e . . c c o o m m . . 3 3 0 0 0 0 I I N N M M X X 1 2 0 0 m m a a i i l l 1 2 . . e e x x a a m m p p l l e e . . c c o o m m . .
Where to deliver email. Lower priority number = preferred.
TXT (Text)# e _ x d a m m a p r l c e . . e c x o a m m . p l e . c 3 o 0 m 0 . I 3 N 0 0 T X I T N " T v X = T s p f 1 " i v n = c D l M u A d R e C : 1 _ ; s p p f = . r g e o j o e g c l t e " . c o m ~ a l l "
Arbitrary text. Used for SPF, DKIM, DMARC, domain verification.
NS (Name Server)# e e x x a a m m p p l l e e . . c c o o m m . . 8 8 6 6 4 4 0 0 0 0 I I N N N N S S n n s s 1 2 . . p p r r o o v v i i d d e e r r . . c c o o m m . .
Authoritative name servers for the domain.
SRV (Service)# _ h t t p . _ t c p . e x a m p l e . c o m . 3 0 0 I N S R V 1 0 5 8 0 w w w . e x a m p l e . c o m .
Service location. Used by some protocols (LDAP, SIP, XMPP).
Querying DNS# dig (recommended)# 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
# Basic query
dig example.com
# Specific record type
dig example.com MX
dig example.com TXT
dig example.com AAAA
# Query specific nameserver
dig @8.8.8.8 example.com
# Trace the full resolution path
dig +trace example.com
# Short output
dig +short example.com
nslookup# 1
2
nslookup example.com
nslookup -type= MX example.com
host# 1
2
host example.com
host -t MX example.com
TTL (Time To Live)# How long resolvers cache the record:
e x a m p l e . c o m . 3 0 ↑ T 0 T L i n I N s e c o n A d s ( 5 9 3 m . i 1 n 8 u 4 t . e 2 s 1 ) 6 . 3 4
Trade-offs:
Low TTL (60-300s): Fast updates, more DNS queries High TTL (3600-86400s): Fewer queries, slow updates Before migrations:
Lower TTL days in advance Make the change Wait for old TTL to expire Raise TTL again Common Patterns# Multiple A Records (Round Robin)# a a a p p p i i i . . . e e e x x x a a a m m m p p p l l l e e e . . . c c c o o o m m m . . . 6 6 6 0 0 0 I I I N N N A A A 1 1 1 0 0 0 . . . 0 0 0 . . . 1 1 1 . . . 1 2 3
Basic load distribution. Not true load balancing — no health checks.
Failover with Health Checks# Use a DNS provider with health checks (Route 53, Cloudflare):
P S r e i c m o a n r d y a : r y : a a p p i i . . e e x x a a m m p p l l e e . . c c o o m m → → 1 1 0 0 . . 0 0 . . 1 2 . . 1 1 ( ( h f e a a i l l t o h v e c r h e i c f k : p r / i h m e a a r l y t h u ) n h e a l t h y )
GeoDNS# Return different IPs based on user location:
U U U s s s e e e r r r i i i n n n U E A S U s i a → → → a a p p a i i p . . i e e . x x e a a x m m a p p m l l p e e l . . e c c . o o c m m o m → → → u e s u a - - p e w - a e s s s o t t u . . t s s h e e . r r s v v e e e r r r v s s e . . r c c s o o . m m c o m
Split Horizon DNS# Different answers for internal vs external queries:
I E n x t t e e r r n n a a l l : n e t w o r k : d d b b . . e e x x a a m m p p l l e e . . c c o o m m → → 1 ( 0 n . o 0 . r 1 e . c 5 o 0 r d ( p o r r i v d a i t f e f e I r P e ) n t I P )
AWS Route 53# 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
# Create hosted zone
aws route53 create-hosted-zone --name example.com --caller-reference $( date +%s)
# List records
aws route53 list-resource-record-sets --hosted-zone-id Z1234567890
# Add/update record
aws route53 change-resource-record-sets --hosted-zone-id Z1234567890 \
'{
"Changes": [{
"Action": "UPSERT",
"ResourceRecordSet": {
"Name": "api.example.com",
"Type": "A",
"TTL": 300,
"ResourceRecords": [{"Value": "10.0.1.1"}]
}
}]
}'
Debugging DNS Issues# Check propagation# 1
2
3
4
# Query multiple public resolvers
dig @8.8.8.8 example.com +short
dig @1.1.1.1 example.com +short
dig @9.9.9.9 example.com +short
Or use online tools: dnschecker.org, whatsmydns.net
Check authoritative servers directly# 1
2
3
4
5
# Find authoritative nameservers
dig NS example.com +short
# Query them directly
dig @ns1.provider.com example.com
Check for DNSSEC issues# 1
2
dig example.com +dnssec
dig +trace +dnssec example.com
Common problems# Stale cache:
1
2
3
4
5
6
# Flush local DNS cache
# macOS
sudo dscacheutil -flushcache; sudo killall -HUP mDNSResponder
# Linux (systemd-resolved)
sudo systemd-resolve --flush-caches
Wrong nameservers at registrar:
1
2
# Check what nameservers are registered
whois example.com | grep -i "name server"
CNAME at apex:
# e # e x x ❌ a ✅ a m m I p V p n l a l v e l e a . i . l c d c i o : o d m m : . U . s C e N A A M C L A E N I A A a M S t E / A 9 z N 3 o A . n M 1 e o E 8 t 4 a h ( . p e p 2 e r r 1 x . o 6 c v . o i 3 m d 4 . e r - s p e c i f i c ) o r A r e c o r d s
Email DNS Records# SPF (Sender Policy Framework)# e x a m p l e . c o m . T X T " v = s p f 1 i n c l u d e : _ s p f . g o o g l e . c o m i n c l u d e : s e n d g r i d . n e t ~ a l l "
Specifies which servers can send email for your domain.
DKIM (DomainKeys Identified Mail)# s e l e c t o r . _ d o m a i n k e y . e x a m p l e . c o m . T X T " v = D K I M 1 ; k = r s a ; p = M I G f M A 0 . . . "
Cryptographic signature for email authentication.
DMARC (Domain-based Message Authentication)# _ d m a r c . e x a m p l e . c o m . T X T " v = D M A R C 1 ; p = r e j e c t ; r u a = m a i l t o : d m a r c @ e x a m p l e . c o m "
Policy for handling SPF/DKIM failures.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
resource "aws_route53_zone" "main" {
name = "example.com"
}
resource "aws_route53_record" "www" {
zone_id = aws_route53_zone . main . zone_id
name = "www.example.com"
type = "A"
ttl = 300
records = [ "10.0.1.1" ]
}
resource "aws_route53_record" "api" {
zone_id = aws_route53_zone . main . zone_id
name = "api.example.com"
type = "A"
alias {
name = aws_lb . api . dns_name
zone_id = aws_lb . api . zone_id
evaluate_target_health = true
}
}
DNS is foundational infrastructure. Changes propagate slowly (respect TTLs), mistakes affect everyone (email, web, APIs), and debugging requires understanding the resolution chain.
Lower TTLs before changes. Test with dig against authoritative servers. Monitor for DNSSEC issues. The outage that looks like “the server is down” is often DNS — check it first.